Karmen Ransomware Deletes Decryptor Component When Detecting a Sandbox Environment or Analysis Software
A recently discovered Hidden Tear ransomware offspring is being sold on underground forums as a Ransomware-as-a-Service (RaaS), priced at just $175, Recorded Future researchers reveal.
Dubbed Karmen, the malware appears to have been around since December 2016, when incidents involving it were reported in Germany and the United States. However, the threat started being advertised on underground forums only in March.
After having a closer look at the malware, Recorded Future security researchers discovered that it is derived from the Hidden Tear open source ransomware. They also found out that Karmen was using the AES-256 encryption protocol for the encryption of targeted files on the local machine.
Just as any other ransomware, the threat displays a ransom note with instructions for the victim to pay a specific sum of money to obtain the decryption key. Unlike other similar threats, however, the malware automatically deletes the decryptor when detecting a sandbox environment or analysis software.
Wannabe-criminals buying the ransomware are provided the option to change various settings courtesy of a control panel that doesn’t require advanced technical knowledge to operate. They can also track infected systems via a “Clients” page. A Dashboard offers information such as the number of infected machines, earned revenue, and available updates for the malware.
Karmen is a multi-threaded, multi-language piece of ransomware that supports .NET 4.0 and newer versions and features an adaptive admin panel, researchers say. The malware can encrypt all discs and files, automatically deletes the loader, and features sandbox, debugger, and virtualization detection. Karmen can delete itself after ransom is paid, but also deletes the decryptor if it detects it is being analyzed.
The threat is sold in two versions, namely Light and Full. The former only includes obfuscation and autoloader, while the latter also packs the anti-analysis detection capabilities. While .NET dependent, the malware also requires PHP 5.6 and MySQL.